Books

Wednesday, 09 November 2011

How to manage passwords with some, little, or no effort

One of the most important password use guidelines is to never use the same password for multiple logins. To practice this rule you must remember potentially dozens of passwords for sites you routinely visit. Few people can remember large numbers of password, though, so let's consider several ways that you can manage passwords.

"Remember me"

A common practice for Internet users is to use whatever method web sites offer to help you remember the password you create when you next visit the site, such as a cookie. A cookie is a set of information about a user that a web site leaves on your computer. The web site reads this information when you next visit the site. When you choose Remember me or the equivalent at a web site during a login attempt, you give the site permission to save your identity and password in a cookie.

This option is ubiquitous and convenient; in fact, it's such a common practice that people actually write and publish scripts to force browsers to store passwords even for sites that prohibit it.

While convenient, this choice has certain risks and unknowns. Cookie characteristics like persistence and quality of encryption vary from site to site. Certain cookie implementations are vulnerable to theft by malware (e.g., ZeuS), poisoning, and session hijacking attacks . Since you can't be certain how every site deploys cookies, it's worthwhile to learn how sites you visit use them. If you are a convenience seeker, however, this is probably *not* something you are likely to do.

And frankly, you can do better.

"One password to remember them all..."

Rather than rely on cookies, consider securely storing the passwords for your many logins using a secure personal data or password manager. These best among these store all your passwords or personal data securely using strong encryption methods. Typically, the only password you must remember when you choose this alternative is the password you create that "opens" your encrypted passwords file.

When you visit a site that challenges you for a password that you've stored, launch the password manager, and it will prompt you for the location of your encrypted file, and then prompt you for your "master" password. Keep your USB safe. Scan it routinely for malware (especially if you choose not to disable write access!).

Many password managers are available. Consider trying the oft-recommended 1Password, KeePassX or MacOS Keychain services. Certain password managers are available for several devices and operating systems. By choosing one of these you will be able to use a familiar software, UI, and a common passwords file.

If this is too much work, you can choose to not try to remember passwords at all, but instead make use of password reset features. I call this alternative...

Create a Password Manager Thumb Drive?

Consider having your password manager create your encrypted passwords file on a removable drive rather than on your PC/Macintosh hard drive and install the software on the drive. You'll then be able to use the password manager on multiple systems.

Prepare the USB drive as follows. Securely erase and reformat (1, 2) a removable drive so that you begin with a data and malware free drive. Disable write access on the drive (3, 4 for Windows, 5 for Mac OS) Finally, install the software on the hard drive, create a strong password (my article) for access to your passwords file, and enter your passwords. As a final step, back up the file(s) on a second removable media and store this backup copy in a safe location.

Note: If you need to add passwords to the file, you can enable write access for this purpose then write-protect the drive when you are done. The same articles that explain how to disable write access explain how to toggle from read only to read/write.

Warning! If you have a history of losing USB drives, however, you do risk that whomever obtains your drive may attempt to decrypt your password files using decryption or password cracking tools. You run this same risk, of course, if you lose your laptop.

Set, forget, reset: The Poor Man's One Time Password

When you first visit a site, create a strong password. Other than having to remember this string long enough to confirm the password you compose, don't bother to remember it at all. When you next visit the site, use the Forgot your password? feature, wait for the site to send reset instructions to the email you provided when you created your account, and then follow the instructions to create a new password.

This method emulates a one-time password system. Note that for many sites, you may not even have to remember your account ID. Before you dive headlong into this "free at last" strategy, recognize that there are some risks to relying entirely on this method. The site may change its password recovery practice. You may change or (by changing employers or email providers) lose access to an email address. Your email account might be hijacked. Thus, while set, forget and reset is not a bad strategy for sites you visit infrequently it is probably not the best choice for important sites such as your bank, or sites you frequently visit.

Closing Remarks

We all have far too much information to manage or remember. By adopting some form of password management, you not only prune what you need to remember, but you'll better protect yourself against impersonation.

Comments

You can follow this conversation by subscribing to the comment feed for this post.

Password may soon be obsolete because of the facial recognition boom. I would however like to see a facial recognition and finger print reader (the one that reads a pulse, heat, depth of finger print besides the obvious print pattern)

I find the "password reset" / "short-term-login-token by email" idea interesting for users and sites in the case where you expect a password to be compromised (perhaps not using SSL for some reason). Not good practice, but better than leaving user-set passwords dangling in thin air.

Aside from that though this raises another important point: if someone compromises your email account they can compromise everything, regardless of how strong your other accounts' passwords are. I don't recall ever seeing an "opt-out" option for password reset by email.

To that end I'm glad to see Google adopting banking-grade authentication, even if it's opt-in.

Thank you for the kind words. I will try pidder and if I find it as interesting and solid as you claim, I'll add it to the post. Or perhaps I'll find time to write about circumstances where some of the other features you mention can be useful.

As you are mentioning 1Password and KeepassX - may we call your attention to pidder. It's a Privacy by Design web-based password manager that provides also identity management, anonymous, pseudonymous, or public use and encrypted communication.

Great article btw. - there can't be enough awareness nowadays concerning this topic.